rules/findings/m365/microsoft_fabric/ms-fabric-guest-user-access-not-restricted.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Fabric", "serviceName": "Microsoft 365", "displayName": "Ensure guest user access is restricted", "description": "This setting allows business-to-business (B2B) guests access to Microsoft Fabric, and contents that they have permissions to. With the setting turned off, B2B guest users receive an error when trying to access Power BI. The recommended state is `Enabled for a subset of the organization` or `Disabled`.", "rationale": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.", "impact": "Security groups will need to be more closely tended to and monitored.", "remediation": { "text": "\r\n\t\t\t###### Restrict guest user access: \r\n\t\t\t1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal \r\n\t\t\t2. Select Tenant settings. \r\n\t\t\t3. Scroll to Export and Sharing settings. \r\n\t\t\t4. Set Guest users can access Microsoft Fabric to one of these states: \r\n\t\t\t * State 1: Disabled \r\n\t\t\t * State 2: Enabled with Specific security groups selected and defined. \r\n\r\n\t\t\t**Important** : If the organization doesn\u0027t actively use this feature it is recommended to keep it Disabled. \r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "7.0.0", "reference": "9.1.1", "profile": [ "E3 Level 1", "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "m365_fabric_tenant", "subPath": null, "selectCondition":{ "conditions": [ [ "settingName", "eq", "AllowGuestUserToAccessSharedContent" ] ] }, "query": [ { "filter": [ { "conditions": [ [ "enabled", "eq", "True" ], [ "enabledSecurityGroups.Count", "gt", "0" ] ], "operator": "and" } ] }, { "connectOperator": "or", "filter": [ { "conditions": [ [ "enabled", "eq", "False" ] ] } ] } ], "shouldExist": true, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "title": "Title", "tenantSettingGroup": "Group", "enabledSecurityGroups": "Security Groups", "enabled": "Enabled" }, "expandObject": null }, "table": "default", "decorate": [ { "itemName": "Enabled", "itemValue": "enabled", "className": "badge badge-danger badge-xl" } ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "title", "enabled", "location", "tenantSettingGroup", "enabledSecurityGroups" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure Guest user access is restricted", "defaultMessage": "Ensure Guest user access is restricted" }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "fabric_guest_user_access_not_restricted", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "microsoft365_2150" } |